
How to make large credit card breaches not economically viable

Weston Hecker

8-June-2015

Polluting the data lowers the validity rate of stolen card numbers.
When he speaks at SC Congress Toronto, Weston Hecker will tell listeners that his credit card info was one of 40 million stolen in the Target breach.

“It got me thinking about how people can stop data theft,” he said. “Companies have billions of dollars in technology, yet they’re regularly breached. If I were the thief, what would stop me from selling credit cards?”

After searching for sellers of that credit card info, he realized that the saleability of a card, and indeed its price, is dictated by its validity rate.

Cards stolen in the Target breach have a 26% validity rate, meaning that if you bought four of them – at $4.50 per number – one of them would work.

According to Hecker, those taken in Zuckerberg breach are selling for $65, depending on the bank issuer.

Using the BIN – the first digits on the card – it’s possible to know the issuing bank, where to use a stolen card number safely, and the amount of fraudulent purchase you can make with a given card number without arousing suspicion.

“If I try to use a number in the local area from where it was stolen, I’d be flagged,” Hecker said. “In Toronto for example, I could use an American card for fraudulent purposes and there’d be no suspicion. Prestigious banks have higher Point of Sale (POS) limits, so I can buy higher ticket items.”

Validity rate is important because one declined card is not suspicious, but a purchaser whose second and third cards are also declined is. Even for fraudulent purchases made online, the moment you use two different people’s cards you’re flagged.

His solution is SkimBad, software that injects thousands of fabricated credit card numbers around the legitimate ones. Deliberately polluting the stolen card numbers with thousands of randomly generated additional numbers lowers the validity rate of the stolen card information.

“It’s open source free software that works very well against all the POS skimming software,” said Hecker. “It’s automated installation, and well compiled.”

While some of the randomly generated numbers won’t be valid bank numbers, those that are cannot be told apart from the real thing.

“Statistically they look valid… it’s not until you try to process them that they are flagged,” he said. “Until the credit processor runs them, and that’s when you get flagged as invalid.”

So many false credit card numbers would lower the validity rate, and therefore the selling price, of stolen credit card information.
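The passage above describes the mechanism in the abstract: decoy numbers share a real BIN prefix and pass the same format check a genuine card passes, so only a processor can tell them apart, and the fraction of real cards in the stolen batch collapses. The following is an added example, written for this article and not SkimBad's own code, showing that mechanism with the Luhn check digit (the standard format check for card numbers); the BIN `411111` and the "real" cards are constructed, and the decoy counts are illustrative.

```python
import random


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check.
    This is the only test a card number faces before a processor sees it,
    which is why decoys built to pass it 'statistically look valid'."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit Luhn-valid."""
    for c in "0123456789":
        if luhn_valid(partial + c):
            return c
    raise AssertionError("exactly one check digit always exists")  # unreachable


def make_decoy(bin_prefix: str, length: int = 16, rng=None) -> str:
    """Generate a random number that shares the issuer's BIN prefix and passes
    Luhn, so it is indistinguishable from a real card until it is processed."""
    rng = rng or random.Random()
    body_len = length - len(bin_prefix) - 1
    body = "".join(rng.choice("0123456789") for _ in range(body_len))
    partial = bin_prefix + body
    return partial + luhn_check_digit(partial)


def pollute(real_cards, bin_prefix: str, decoys_per_card: int, seed=None):
    """Mix decoys_per_card decoys in for every real card and shuffle the batch,
    which is the dilution step the article attributes to SkimBad."""
    if not real_cards:
        return []
    rng = random.Random(seed)
    batch = list(real_cards)
    for _ in range(decoys_per_card * len(real_cards)):
        batch.append(make_decoy(bin_prefix, len(real_cards[0]), rng))
    rng.shuffle(batch)
    return batch


def validity_rate(batch, real_cards) -> float:
    """Fraction of the batch that a processor would accept."""
    real = set(real_cards)
    return sum(1 for c in batch if c in real) / len(batch)


def cards_per_working_card(rate: float) -> float:
    """How many numbers a buyer must try, on average, to find one that works."""
    return 1.0 / rate


def demo_rate(n_real: int = 4, decoys_per_card: int = 1000, seed: int = 2015) -> float:
    """Build a constructed batch of n_real Luhn-valid 'real' cards on the
    hypothetical BIN 411111, dilute it, and return the resulting validity rate."""
    rng = random.Random(seed)
    real = [make_decoy("411111", 16, rng) for _ in range(n_real)]
    batch = pollute(real, "411111", decoys_per_card, seed)
    return validity_rate(batch, real)


if __name__ == "__main__":
    rate = demo_rate()
    print(f"diluted validity rate: {rate:.4%}")
    print(f"numbers tried per working card: {cards_per_working_card(rate):.0f}")
    print(f"article's Target figure (26%): {cards_per_working_card(0.26):.1f} numbers")
```

Every decoy passes `luhn_valid`, so a seller cannot filter them out offline; only an authorization attempt separates them, and the article's point is that the attempts themselves are what gets a fraudster flagged.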

“This would stop big breaches, because the validity rates would be less than a year old Target breach,” said Hecker. “You can’t sell them on the dark web if they have less than a 15% validity rate.”

Even if the thief set up a false processor to run the card numbers prior to selling, it would be improbable if not impossible to scrub these credit card batches.

Stolen card data sometimes comes with PIN info, because some advanced skimmers grab keystrokes.

“I was able to test it against 11 skimming variants and every one was blocked by the software,” Hecker said. “They couldn’t put those cards up for sale. You’d have to clone several thousand cards to make one purchase. There’s no way to scrub the card, such as run 1 cent on every card. The card numbers SkimBad generates will have valid numbers, because they’re random.”

Imagine a large retailer processing 63 credit card transactions per second. Now imagine that retailer has been breached and malware installed on its POS systems.

“The malware searches and sends a web request to the Command and Control Center, and instead of 63 per second, it’ll be running 6,500 per second,” said Hecker. “And they’re not going to the credit processor… they’re going to the malware server the bad guys are talking to. Had those companies with large breaches been running this software, they’d have noticed the problem sooner.”
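The figures Hecker gives (63 transactions per second normally, 6,500 per second once malware is exfiltrating, and to a host that is not the processor) are a detection opportunity in their own right. The following added example, not code from the article or from SkimBad, runs those two checks over constructed POS telemetry: a rate spike against a known baseline, and outbound card-data requests to a destination outside an assumed allow-list. The hostnames, the baseline and the spike factor are all assumptions.

```python
from collections import Counter

# Assumed allow-list of hosts a POS may legitimately send card data to.
PROCESSOR_HOSTS = {"auth.processor.example"}

# Baseline from the article: the retailer normally processes 63 transactions/s.
BASELINE_PER_SECOND = 63


def build_sample_events():
    """Constructed telemetry, one (second, destination_host) tuple per outbound
    card-data request. Seconds 0-4 are normal; second 5 reproduces the article's
    scenario of 6,500 requests going to a host that is not the processor."""
    events = []
    for sec in range(5):
        events += [(sec, "auth.processor.example")] * BASELINE_PER_SECOND
    events += [(5, "c2.unknown-host.invalid")] * 6500
    return events


def per_second_counts(events):
    """Requests per second, regardless of destination."""
    return Counter(sec for sec, _ in events)


def flag_rate_spikes(counts, baseline_per_second, factor=10):
    """Seconds in which the request rate exceeds factor x the expected baseline."""
    return sorted(sec for sec, n in counts.items() if n > baseline_per_second * factor)


def flag_unexpected_destinations(events, allowlist=PROCESSOR_HOSTS):
    """Count outbound requests per destination that is not an approved processor."""
    return dict(Counter(host for _, host in events if host not in allowlist))


def analyze(events, baseline_per_second=BASELINE_PER_SECOND, factor=10):
    """Run both checks and return what an operator would want to see."""
    counts = per_second_counts(events)
    return {
        "spike_seconds": flag_rate_spikes(counts, baseline_per_second, factor),
        "unexpected_destinations": flag_unexpected_destinations(events),
    }


if __name__ == "__main__":
    report = analyze(build_sample_events())
    print("rate spikes in seconds:", report["spike_seconds"])
    print("requests to non-processor hosts:", report["unexpected_destinations"])
```

Either signal alone would have surfaced the scenario Hecker describes; in practice the destination check is the stronger one, because a POS that talks to anything but its processor has no legitimate reason to do so, whereas a rate spike can also be a busy sales day.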

Currently he’s trying to keep the software open source and free.

“We incorporate it into some hotel chain and property management software. A smaller shop can install it for free.”

At security conferences Hecker gets a POS system set up and runs SkimBad in the background. “We’ll have 30-40,000 by the end of the event,” he said.

You can see a demonstration in a video of Hecker’s DEF CON presentation.